At 20:38 12.06.99 +0200, you wrote:
>"William M. Perry" wrote:
>> It can be useful, but I think people are exposing entirely too much
>> information in their certificate names nowadays. Things like your title or
>> division can expose too much information about you to an attacker. If
>> someone wants to get at the financial info of aventail, and our CFO had
>> 'Chief Financial Officer' as his title whereas I just had 'Unix Dweeb' or
>> nothing, they would know who to concentrate on. :)
>>
>> Of course, this same info is available on your business card, but... :)
>
>I think that a certificate with your name and e-mail/org/ou will not hurt
>anyone: ou can be set to something like a code useful to you (you do not
>necessarily have to put "Project Manager", just use 01PJS456 ...)
This is security by obscurity.
When information has only local meaning,
why include it in the certificate at all?
In your local environment it is simple to create a lookup from
certificate to Title ("Project Manager"...)
By
Goetz
--
Goetz Babin-Ebell mailto:[EMAIL PROTECTED]
TC Trust Center for Security http://www.trustcenter.de
in Data Networks GmbH Tel.: +49-40-766 29 3301
Am Werder 1 / 21073 Hamburg / Germany Fax.: +49-40-766 29 577
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
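
The local lookup suggested in the reply above, as an added example that is not part of the original message or of OpenSSL: role-revealing attributes are kept out of the certified subject and stored in a local table keyed by the certificate fingerprint. The attribute policy, the sample DN, the stand-in certificate bytes and all function and class names are assumptions made for illustration.

```python
import hashlib

# Assumption: attribute types treated as locally meaningful only.
LOCAL_ONLY = {"title", "ou"}

def split_rdns(dn):
    # Split on unescaped commas and resolve backslash escapes; hex-pair
    # escapes and multi-valued RDNs ("+") are outside this example.
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def minimise_subject(dn):
    # Returns (subject pairs to certify, attributes kept in the local table).
    public, withheld = [], {}
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if attr.lower() in LOCAL_ONLY:
            withheld[attr.lower()] = value
        else:
            public.append((attr, value))
    return public, withheld

class RoleDirectory:
    # Local lookup keyed by the SHA-256 fingerprint of the certificate's DER bytes.
    def __init__(self):
        self._rows = {}

    def enroll(self, cert_der, withheld):
        self._rows[hashlib.sha256(cert_der).hexdigest()] = dict(withheld)

    def title_for(self, cert_der):
        row = self._rows.get(hashlib.sha256(cert_der).hexdigest(), {})
        return row.get("title")

# Constructed sample input: a requested subject and stand-in certificate bytes.
SAMPLE_DN = r"CN=Jane Doe,OU=Finance\, Treasury,title=Chief Financial Officer,O=Example Corp,C=DE"
SAMPLE_DER = b"constructed stand-in for the issued certificate's DER encoding"
```

A relying party that holds the table resolves the title from the presented certificate; anyone else sees only the CN, O and C attributes.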